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(57) Abstract 

A secure terminal is disclosed which has a single keypad (4) and display (6) which is suitable as a debit terminal, as both 
confidential and nonconfidential information can be entered. Confidential information is entered in secure text mode whereas 
nonconfidential information is entered ui clear text mode. The terminal defaults to secure text mode where all information is en- 
crypted. In clear text mode all prompts are independently authenticated by a secure module (8) prior to displaying of the prompt. 
Prompts for clear text mode are preprogrammed preferably with an Authentication Parameter which is confirmed by the secure 
module whenever that prompt is used in clear text mode. The invention is also directed to the methods for rendering a terminal 
and system secure for receiving confidential and nonconfidential information. 
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T?;T^E; COMBINATION PIN P AD AND TERMTNAT. 

FIFLp OF THE INVENT j^QN 

The present invention relates to terminals, such as 
5 point of purchase terminals which are required to receive 
both nonconfidential data and confidential data. In 
particular, the invention is directed to a terminal having 
one key pad by means of which confidential data can be 
entered in a secure manner and nonconfidential data can be 
10 transmitted in a nonsecure manner. 

BACKGROUND O F THE INVENTION 

Point of purchase terminals or other terminals 
which receive both confidential and nonconfidential 
15 information are known. Terminals for debit card 

transactions are known where certain information is 
confidential, such as PINs (personal identification 
number) , and other information is nonconfidential, such as 
the purchase price of a product. Other confidential 
20 information could include the account balance whereas 

license plate identification for a gas purchase would be 
nonconfidential . 

Initial terminals had two entry keypads , one of 
which could be for nonconfidential information and having 
25 its own separate display and the other being a dedicated 
keypad for confidential information, such as the PIN. 
Typically, the keypad for inserting confidential 
information could be separated and the user could actually 
shield the keypad during the entry of the confidential 
30 information. Although the keypad for the confidential 

information typically had a display, only prompts came up 
on. the display and the confidential information was not 
displayed . 

There has been a need to reduce the space occupied 
35 by such point of purchase terminals and there are now point 
of purchase terminals having a single display and a single 
keypad for receiving both confidential and nonconfidential 
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information. Unfortunately, the degree of security which 
was previously present with a separate keyboard for 
confidential information has not been provided in these 
combined confidential and nonconfidential information 
5 keyboards and there is a higher risk that these devices 
could be tampered with to reveal confidential information 
of the user. The entire system is based on the premise of 
the PIN being maintained in a confidential manner, as this 
is in effect the signature of the user and his 

10 authorization. There remains a need to provide a system 
which reduces the size of the point of purchase terminal 
while maintaining a high degree of security with respect to 
the entry of confidential information and the operation of 
the terminal such that it can only operate in a secure 

15 manner with respect to prompts which would produce the 
entry of confidential information. 

SUMMARY OF THE INVENTION 

A debit or other terminal, according to the present 

20 invention, comprises a secure module, a display, a keyboard 
and a nonsecured portion. The secure module controls the 
communication of data and prompts between the keyboard, the 
display and the nonsecured portion of the terminal in 
either a clear text mode or a secure text mode. The 

25 keyboard allows the entry of either clear text or secure 
text. The nonsecured portion of the terminal has a 
predetermined group of paired prompts and authentication 
parameters that are authorized for clear text mode , The 
secure module also has confirmation means to independently 

30 confirm that the prompt of a prompt pair received from the 
nonsecured portion is a proper prompt for clear text mode 
prior to coiratiunication of the prompt to the display. With 
this arrangement, if the terminal was operating in clear 
text, which is a nonsecured mode, the prompt is confirmed 

35 to be a proper prompt by the secure module prior to 

allowing the prompt to be communicated to the display or 
before data can be entered at the keypad. In this way. 
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when the device is operating in clear text mode,, each 
prompt is reviewed and confirmed to be a proper prompt. 
The terminal in secure text mode dofes not authenticate each 
prompt, as the signals are being transmitted in secure text 
5 mode and, thus, are encrypted or appropriately process by 
the secure module. with this arrangement, a more secure 
terminal is realized while achieving the benefits of 
reduced size of the debit terminal due to the use of a 
common display and keyboard for both clear text and secure 

10 text modes . 

The present invention is also directed to the 
loading of the terminal and the combination host secure 
module and terminals and the various methods carried out by 
each of the components and the various combinations 

15 thereof. 

BRIEF DE.qC RIPTION OF THE DRAWTN^.q 

Preferred embodiments of the invention are shown in 
the drawings, wherein: 
20 Figure 1 is a schematic of the terminal; 

Figure 2 is a schematic showing communication 
between a host secure module and a terminal typically used 
when the terminal is being programmed; 

Figure 3 is a schematic of the terminal in 
25 conununication with a financial institute such as would be 
the case when a transaction is occurring; 

Figure 4 illustrates an authentication check of a 
terminal; 

Figure 5 illustrates the key hierarchy; 
30 Figure 6 illustrates key loading of a terminal; and 

Figure 7 is a chart overview of the terminal and 
host secure module . 



35 



PETAI^ED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Data encryption as used herein normally refers to 
Data Encryption Standard, NBS FIPS PUB 46, Federal 
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Information Processing Standards Publication (15-1-1977) . 
Reference is made to the following publications: 

DES Modes of Operation, NBS FIPS PUB 81, Federal 
Information Processing Standards Publication (2-12-1980); 
5 ANSI X3. 28-1976, Subcategory 2.4 Establishment and 

Termination Control Procedures 1976; 

Financial Institution Retail Message 
Authentication, American Bankers Association, ANSI X9.19- 
1986 (MAC); 

10 Personal Identification number (PIN) Management and 

Security, ANSI X9. 8-1982; 

ISO 8730, ISO Standard for Message Protection; and 

ISO 9564, ISO Standard for PIN Protection. 

The terminal shown as 2 includes a common keypad 4, 

15 a common display 6, a secure module 8, a nonsecure module 
10, a communication port 12 and a counter 14 . The secure 
module 8 includes various encryption and decryption 
software and circuitry which is extremely difficult to 
access or to evaluate. The secure module does include some 

20 memory, however, much of the memory is used for operating 

the software of the secure module . The nonsecure module 10 
is readily accessible and certain functions of the terminal 
are stored in the nonsecure module. The nonsecure module 
also includes various applications which normally control 

25 the terminal by producing prompts and receiving and 

communicating data. The communication port 12 allows the 
terminal 2 to be connected to a financial institute or 
other body which is essentially okaying the transaction. 
The terminal 2 would be provided on a counter 

30 adjacent a retailer's cash register, for example, and it is 
desirable to have this terminal as small as possible, as 
the space at the counter is at a premium. This has forced 
the terminal to use the common keyboard and common display 
for receiving prompts or entry of data in either a clear 

35 text mode or a secure text mode. 

For example, clear text mode would include such 
data as telephone numbers, merchant I.D.'s, amount to be 
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debited, etc, which is data that does not need to be 
encrypted. In contrast, PiNs (Personal Identification 
Numbers) are entered into the terminal and this type of 
data must be secure te.xt, i.e. the data must be encrypted 
5 and appropriately processed by the secure module. For 
example, entry of the PIN does not get displayed on the 
display. Typically an asterisk is shown for each entry. 
Other data might also be transmitted in secure text mode 
such as account balances, etc. which would be confidential 
10 information for the eyes of the card holder alone ♦ 

By producing a terminal having a common keyboard 
and a common display where data is entered through the 
keyboard in either a clear text mode or secure text mode, 
there is a higher risk that the security of the secured 
15 text is reduced. 

In order to reduce the possibility of secured text 
being displayed, the terminal is configured by means of the 
secure module to always default to secure text and to only 
transmit in clear text, and in particular to only transmit 
20 a prompt to the display, when the device is in clear text 
mode when that prompt has been independently authenticated 
by the secure .module . 

In order to more fully understand the system of the 
present invention, it is beneficial to consider the steps 
25 that are undertaken to initially program the terminal as 

indicated in Figure 2 where various data is loaded into the 
terminal 2 by means of the host secure module 30. The host 
secure module (HSM) will program the terminal 2 typically 
in an extremely secure environment. The host secure module 
30 includes the functions of a secure key generation/key 

injection facility. Typically during initialization, the 
HSM creates a double length key transfer key (KTK) and a 
single length data transfer key (DTK) . The host secure 
module then encryptes the single length DTK using the 
35 double length KTK and a triple encryption process which 

results in an encrypted DTK indicated as eKTK (DTK) . A DTK 
check value is also generated by encrypting 64 binary zeros 
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using the DTK* This results in a eDTK(O) . The HSM may 
also be instructed to generate a new Password to be used by 
the secure module (see Figure 5) . Both the old and new 
passwords are encrypted using the KTK. This results in 
5 eKTK(new Password) and eKTK(old Password), Various prompts 
are identified or inputted into the HSM which prompts are 
to be used during clear text entry. The HSM generates a 
standard 32 bit MAC for each prompt by processing the 
prompt and the DTK using the MACing software. If the 

10 prompt is not a multiple of 8 bytes, then the prompt is 

padded with binary zeros until it is. It is also assumed 
that the initial vector used in the MAC process is all 
binary zeros. The KTK, eKTK{old Password), eKTK(new 
Password), eKTK (DTK) , eDTK(O) and each Prompt and 

15 associated MAC is forwarded to the secure module of the 
terminal . 

The secure module loads the KTK, eKTK(old Password) 
and eKTK(new Password) . The secure module decrypts 
eKTKCold Password) to obtain "old Password" which it 

20 compares with the one it currently holds. If there is a 

match, then eKTK(new Password) is decrypted to obtain "new 
Password" and both "new password" and "KTK" are installed 
in the secure module. If there is no match, then an error 
status is returned and no action is taken. 

25 If the KTK and new Password are successfully 

installed, then the secure module loads the eKTK(DTK) and 
eDTK(O) . The secure module then decryptes the eKTK(DTK) to 
get the DTK and encryptes the 64 binary zeros using the DTK 
to get eDTK(O) . This check value, namely the eDTK(O), is 

30 then compared with the received eDTK(O) . If these values 
match, then the DTK is accepted. The secure module then 
generates two independent keys, namely RNl (Random Number 
1) and RN2 (Random Number 2) . The prompts and MAC pairs 
received from the HSM are loaded. The prompt is reMACed 

35 within the secure module and the resulting MAC is compared 
with the one sent from the HSM. If they are identical, 
then the prompt is accepted as valid. A valid prompt is 
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then processed using RNl to MAC the prompt ^ the 32 bit MAC 
is concatenated with 32 binary zeros and the result is 
encrypted using RN2 • The result of the RN2 encryption is 
called an Authentication Parameter <AP) and is stored in 
5 the nonsecure module's main memory coupled with the 

associated prompt. With this arrangement, the terminal in 
the nonsecure module 10 has various pairs of prompts and 
their respective authentication parameters. The nonsecure 
module also includes application software for the 
10 generation of certain prompts or the passage of prompts to 
the display 6 via the secure module. The secure module is 
basically told by the nonsecure module to operate in a 
clear text mode or a secure text mode. When it is told to 
operate in the clear text mode, each prompt which is 
15 provided to the secure module by the nonsecure module has 
tagged thereto an authentication parameter. The secure 
module then takes the prompt and, in combination with 
Random Number 1 and Random Number 2, produces its own 
authentication parameter and when a match is obtained 
20 between the generated authentication parameter in the 
secure module and the authentication parameter that is 
associated with the prompt, then the prompt is transmitted 
to the display 6. In this way, the secure module has 
confirmed that this is an appropriate prompt for clear text 
25 mode. Each prompt that is forwarded to the secure module 
when the secure module is operating in the clear text mode 
is authenticated in the above manner. In this way, it is 
extremely difficult to reprogram the terminal to enter a 
prompt which is a prompt that should receive data in the 
30 secure text mode. The authentication parameter for each 
prompt will be unique to that prompt in that terminal. 
This is the result of generating different RNl and RN2 in 
each terminal. Even though the same prpmpts may reside in. 
many different terminals, the associated Authentication 
35 Parameter will be unique to each terminal. In some 

applications. Random Number 1 and Random Number 2 can equal 
the DTK. This is particularly useful where many security 
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modules share a common nonsecure module. In this way, each 
terminal is unique and even knowledge of one terminal does 
not provide knowledge with respect to the other terminals . 
Furthermore, due to the security afforded to the keys by 
5 the security module and the encryption algorithm, it would 
be extremely difficult to ascertain the key. A summary 
chart showing the various functions of the host secure 
module and the various parts of the terminal is attached. 



10 includes a protected counter 14 which cannot be reset or 

tampered with without use of keys and passwords. Each time 
the secure module records an incorrect authentication 
value, it will increment counter 14. The maximum value of 
this counter is settable at the configuration time by the 

15 host secure module and once the maximum value has been 

reached, the secure module will no longer allow clear text 
entry until a purging or reauthorizing step has been 
carried out. Thus, each terminal will effectively shut 
itself down for clear text mode if the expected 

20 authentication processes are not occurring. This provides 
a fixed value on the number of times a would-be thief can 
query the system to try to determine how it works. This 
reauthorization step is carried out by loading the KTK in 
the clear. Since the load command is password protected, 

25 only the person or device possessing the password will be 
allowed to load, and thus reinitialize, the KTK. 



of security is accomplished, in that the terminal defaults 
to secure text mode, and when operated in clear text mode, 

30 each prompt has to be independently authenticated prior to 
transmission to the display. With such an arrangement, 
only prompts which have been properly introduced to the 
terminal and subsequently processed by the secure module to 
produce an authentication parameter for each prompt can 

35 operate the terminal in clear text mode. Any attempt to 
change, the plrompt will result in the authentication 
parameter being incorrect for that given prompt. The 



In addition to the above system, the terminal 2 



With the terminal as described above, a high degree 
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degree of encryption associated with the authentication 
parameter of each prompt is extremely high, involving 
several different keys, and being extremely difficult to 
decipher. Furthermore, the secure module is specifically 
5 designed so that its internal processes cannot be observed 
or modified. 

With this terminal, a high degree of security of 
confidential information is maintained while achieving the 
space saving possible by means of a terminal using a common 

10 keypad and display. Additional features can be added to 
the system, such as the use of passwords providing a 
further level of protection with respect to the key 
transfer key, as well as a key hierarchy where the display 
transfer key is below the key transfer key and is a new key 

15 for terminals. A further feature of this terminal is that 
the host secure module determines what prompts are to be 
used for clear text mode, and it is only these prompts 
which allow the terminal to operate in clear text mode. 
All other prompts result in the device not transmitting the 

20 prompts to the display or the device working in secure text 
mode . 

It is also possible to further enhance security of 
the overall system by assessing the secure module of a 
terminal in the following manner and as shown in Figure 4. 

25 Prior to injecting cryptographic keys and other 

sensitive or secret information into an unknown secure 
module of a terminal, it is desirable to verify that the 
contents of the SM are the same as those of a known 
"reference" SM. This is accomplished in such a way that 

30 the contents are not actually known, but that an identical 
process is performed on both the reference and unknown SMs. 
If the results of executing this process in both reference 
and unknown are the same, then it can be inferred that the 
contents are the same. The process used in the terminal 

35 utilizes the MACing software in the SM and a cryptographic 
• key (called the Authentication Key or AK) . 
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This process of verifying the contents of the SM 
can be done at any time during the life of the product. 
This allows a central site to send an encrypted AK to the 
SM in, say, a retail shop and simultaneously send an 
5 encrypted AK to the reference SM (held securely at the 

central site) . The process outlined below is executed in 
both SMs and the results sent back to the central site for 
comparison. If they do not match, then this may indicate 
that the SM in the terminal at the retail site has been 
10 tampered with. 

Operation Steps: 

1) The HSM generates a KTK and an AK, 

2) The KTK is injected into the reference SM and 
15 the unknown SM. 

3) The AK is encrypted using the KTK (eKTK (AK) ) and 
sent to the reference SM and the unknown SM. 

4) Both the reference SM and the unknown SM 
decrypt the eKTK(AK) using the KTK previously 

20 injected. 

5) Both reference and unknown terminals MAC the 
same block of SM memory and return the results. 

6) The HSM compares the two results and if they 
are the same, then the unknown terminal is 

25 assumed to have the same software as the 

reference terminal . 

Password Controlled KTK Loading 

Fraud of the kind commonly called spoofing (i.e. to 

30 fool) can be perpetrated by injecting known cryptographic 
keys into the SM. Since the SM has a hierarchical key 
structure (i.e. any key, except the top level, must be 
loaded into the SM encrypted under the key above it in the 
hierarchy), the top level must be protected from 

35 unauthorized modification. If this is done, then the 
entire hierarchy is protected. 
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The SM has a 64 -bit long password. There will be 
an initial or default password, such as "VERIFACT" . This 
initial password should be changed to a password known only 
to the HSM when the initial KTK is injected. The new 
5 password should be generated with as much randomness as 
that afforded the generation of a cryptographic key. 
Having injected this new password into the SM, it becomes 
virtually impossible for an attacker with no knowledge of 
the password to inject a known KTK. 
10 The key hierarchy is shown in Figure 5. 

Password and KTK Controllf^H T.n adina of 
System Configuration Inf orm;^f' 

The SM has a mechanism for receiving conf igtaration 
15 information that defines the keyboard, the key management 

scheme to be used, and allows for the setting and resetting 
of the tamper detection counter, called the security 
counter. This mechanism must be protected from casual or 
concerted efforts to alter any of the settings. This is 

20 accomplished by coupling the password and KTK through 
encryption (eKTK (password) ) . Alteration of this 
information will be allowed only if the correct 
eKTK (password) cryptogram is presented to the SM. This 
forces the attacker to guess both the KTK and the password, 

25 a task formidable enough to force an attacker to search for 
an easier means. 

Password Protected KTK l^oadinr^ 

Loading the KTK in the clear must be done in a 

30 secure environment due to the importance of the KTK being 
at the top of the key hierarchy. If the KTK is known, or 
ascertained, then the DTK can be altered to one known by 
the would-be thief. Gaining control of the DTK will then 
allow the attacker to validate prompts that will request 

35 secure data to be entered while the SM is in clear text 

mode. Thus, the attacker could collect PINs in unencrypted 
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form. This problem is further reduced by using a password 
in combination with the KTK, 

The resetting of the security counter is controlled 
by an access parameter which is the password encrypted by 
5 the KTK (i.e. eKTK (password) ) . Since this access parameter 
requires knowledge of both the KTK and password, it is 
highly unlikely the attacker would try to gain access to 
resetting the security counter. The security counter is 
also recording each unsuccessful attempt to gain access to 
10 it. 

Although various preferred embodiments of the 
present invention have been described herein in detail, it 
will be appreciated by those skilled in the art, that 
variations may be made thereto without departing from the 
15 spirit of the invention or the scope of the appended 
claims . 
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THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE 
. PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS: 

1. A debit terminal comprising a secure module^ a 

5 display/ a keyboard and a non-secured portion, said secure 
module controlling the communication of data and prompts 
between said keyboard / said display, and said non-secured 
portion of said terminal in either clear text mode or 
secure text mode, said keyboard allowing the entry of 

10 either clear text or secure text, said non secured portion 
of said terminal having a predetermined group of paired 
prompts and authentication parameters that are authorized 
for clear text mode, said secure module having confirmation 
means to independently confirm the prompt of a prompt pair 

15 received form said non-secured portion is a proper prompt 
for clear text mode prior to communication of said prompt 
to said display. 

2. A debit terminal as claimed in claim 1 wherein said 
20 confirmation means confirms the prompt of the prompt pair 

is a proper prompt by generating its own authentication 
parameter for the given prompt and only continuing in clear 
text mode if a match is obtained between the generated 
authentication parameter and the authentication parameter 
25 of said pair. 

3. A debit terminal as claimed in claim 2 wherein said 
terminal always defaults to secure text mode and each 
prompt in clear text mode is independently confirmed by 

30 said confirmation means prior to continuing in clear text 
mode . 

4. A debit terminal as claimed in claim 2 wherein said 
confirmation means independently confirms said 

35 authentication parameter by means of an algorithm using 
said prompt as one key. 



wo 94/07219 




PCT/CA93/00372 



5. A debit terminal as claimed in claim 4 wherein said 
secure module includes two additional keys for said 
algorithm which are used in generation of said 
authentication parameter. 

5 

6. A debit terminal as claimed in claim 5 wherein said 
two additional keys are random numbers generated by said 
secure module . 

10 7. A debit terminal as claimed in claim 6 wherein said 

secure module includes decryption software by means of 
which an encrypted data transfer key provided to said 
terminal is decrypted by said secure module to determine 
the data transfer key with said secure module using said 

15 data transfer key to encrypt data in said secure text mode. 

8. A debit terminal as claimed in claim 7 wherein said 
secure module includes means for receiving pairs of data 
corresponding to a prompt and a control parameter to be 

20 used for clear text mode, and means for confirming the 

received pairs are proper by using said data transfer key 
and an algorithm to produce a secure module control 
parameter which must match the received control parameter 
of said pair for said prompt to be accepted and confirmed 

25 by said secure module and used in clear text mode. 

9. A debit terminal as claimed in claim 8 wherein said 
secure module includes means for generating its own 
separate control parameter for each prompt received for 

30 clear text mode and each prompt and separate control 

parameter are stored in said non secured portion of said 
terminal . 

10. A point of purchase terminal comprising a display, 
35 a secure module, a keypad, a non secure module, a 

communication port for communicating with an outside 
source, said terminal operating in either a clear text mode 
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where data is transmitted in a non coded manner and in a 
secure text mode where data is transferred in a coded 
manner, said secure module including means for receiving 
prompts to be used in clear text mode and means for 
5 generating an authentication parameter for each prompt and 
means for transmitting and storing each paired prompt and 
authentication parameter in in said non secure module, said 
nonsecure module including means for including means for 
instructing said secure module to operate in clear text 

10 mode and to provide pairs of prompts and authentication 

parameters to said secure module in clear text mode, said 
secure module when operating in clear text mode including 
means for confirming each prompt by regenerating the 
authentication parameter for the prompt and only 

15 transmitting the prompt to said display terminal if the 
regenerated authentication parameter matches the 
authentication parameter provided with the pair. 

11. A debit terminal as claimed in claim 10 wherein 

20 said terminal includes in said secure module means for 

receiving inputted prompts and authentication parameters to 
be used in clear text mode and confirming the prompt is 
proper based on an evaluation of said authentication * 
parameter . 



said secure module after confirming a received inputted 
prompt is proper uses said means for generating to pair 
said proper prompt with a new authentication parameter 
30 which are subsequently stored in said non secure module. 



25 



12. 



A debit terminal as claimed in claim 11 wherein 
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